Cesium CSP


I'm trying to build a Chrome app that uses the Cesium library, but there are some issues. The first issue is that Knockout is not CSP compliant. There is a fix for this: https://github.com/knockout/knockout/issues/903

I haven't gone much further to see how many more CSP violations there are.

I was wondering: Do you have any plans to make Cesium CSP compliant so it can be used in a Chrome (or Firefox OS) app?


I’ve actually just worked on this very situation for a project 2 weeks ago.

When developing a packaged Chrome App you cannot access external resources (except for audio and video). So to use Cesium you will need to include all your imagery within the application’s resources. Look up using a Tile Map Server for your imagery instead.

The only other alternative is to use a webview in your application, which is basically a sandboxed iframe.

(Forgot to copy cesium-dev)


Thanks for the reply. I’m having a more basic problem: I’m starting with the viewer and I can’t get it to work because of the Knockout bindings (they use new Function).

I was able to access external imagery by 1) changing the URLs from dev.virtualearth.net to https://dev.virtualearth.net and 2) adding permissions in the manifest for that server. The CSP allows for this but makes no exception for eval and new Function.

When I sandboxed it, it could not access any local files; as such it was useless (couldn’t get shader programs).

I might be able to use just the “globe” without Knockout but I like the controls in the viewer. I tried the secure Knockout bindings but they do not work with most of the existing binding specs.

So is this an extension or a packaged app? With a packaged app, I was unable to get Chrome to allow any reduction in policies for CSP in the packaged app I was working on.

Good news and maybe bad news regarding Knockout. While the Cesium Viewer is heavily integrated with Knockout and very much a nontrivial update, the Widget has no dependencies on it. This means you should be able to initialize Cesium using the Widget in your application. The potential bad news is that you will not be able to use most of the built-in UI controls. That doesn’t mean you’re dead in the water though, it just means you’ll need to hook up your own UI and hook up the events to the various components of the Cesium scene.

While I don’t have any experience with CSP, in the long run I think this would be something that we should address, so I wrote up an issue for it. We would be willing to take pull requests if anyone is interested in working on it (assuming it does not adversely affect typical use cases). I have no idea what the level of effort would be.

As Mike pointed out, I see no reason why the CesiumWidget itself won’t work, but obviously you lose a lot of the base Viewer functionality.


I am trying to build a packaged app. The reason for the packaged app is that Google is rolling out a tool to convert packaged Chrome apps to Android: https://developer.chrome.com/apps/chrome_apps_on_mobile. And my app needs to connect to raw sockets so it can’t be pure javascript/html/css. So if I can get a packaged app to work, I can potentially run on Windows/Linux/Mac/Chromebook/Android with one code base. Sweet!

As an extension, I could get the full cesium viewer to work since extensions respect the ‘unsafe-eval’ option. This one line in the manifest makes everything work right (when the Cesium code is modified to use https://dev.virtualearth.net instead of //dev.virtualearth.net):

"content_security_policy": "script-src 'self' 'unsafe-eval' https://dev.virtualearth.net; object-src 'self'",

As an app, I can still pull map tiles off an external server (see https://developer.chrome.com/apps/app_external#external) but I didn’t get that far since the Knockout library was the showstopper.

I’ll try using just the widget and see how it works out.

Thanks for the dialog.

Best regards,



If I come up with anything useful I’ll fork it and issue a pull request. Right now the only change I’d make is to explicitly state the https:// protocol for map/elevation URLs; Chrome’s CSP only allows the whitelisting of https (and local resources). Of course the data providers need to support this. dev.virtualearth.net does.
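
A manifest check for the two points raised above, as an added example that is not part of the thread: whether script-src carries 'unsafe-eval' (which permits eval and new Function) and whether every whitelisted host is written with an explicit https:// scheme. The function names are hypothetical and any manifest passed in is assumed to use a string-valued content_security_policy key like the one quoted above.

```javascript
// Added example; function names are hypothetical, not a Chrome or Cesium API.

// Split a CSP string into a map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Audit the script sources declared in a manifest.json text.
function auditManifestCsp(manifestText) {
  const policy = JSON.parse(manifestText).content_security_policy;
  if (typeof policy !== 'string') {
    return ['no content_security_policy string: the platform default applies'];
  }
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'] || [];
  const findings = [];
  if (sources.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' present: eval() and new Function() are allowed");
  }
  for (const src of sources) {
    if (src.startsWith("'")) continue;                 // keyword such as 'self'
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) continue;   // scheme-only source such as blob:
    if (!src.toLowerCase().startsWith('https://')) {
      findings.push('source without explicit https://: ' + src);
    }
  }
  return findings;
}
```

An empty result means the script sources are limited to keywords, scheme-only sources and explicit https:// hosts, with no 'unsafe-eval'.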



Can you keep me posted on this process as you progress? I’m very interested in this topic.


I worked on it last night. I have the widget working in a Google App (the “new” google app, not the legacy google app). It works and loads imagery from Bing’s servers. I had to make the following changes:

  1. Replace //dev.virtualearth.net with https://dev.virtualearth.net everywhere in the source code.

  2. There is a function that loads jsonp data (I forget the name). This function needs to be modified since ‘script.src=’ doesn’t work, even for whitelisted URLs. See https://developer.chrome.com/apps/app_external#external for the workaround; basically load the JSONP data as a blob and create a local URL. If you want I can send you the code I have.

  3. Add https://dev.virtualearth.net/* whitelist in the manifest under permissions.

The problem is that the modification in step 2 to allow Cesium to load the JSONP metadata in a Google app does not work in a browser. The browser does not allow a cross domain XMLHttpRequest(). So to be fixed properly, the code base needs to know when to use the standard method of loading JSONP data and when to load JSONP data via a blob. I have not figured out how to do this. My next step is actually to test Google’s converter so that I can make the app run on Android and iOS.

Best regards,
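
One way to tell the two environments apart and to consume the JSONP metadata without executing it, as an added example that is neither Cesium code nor the poster's code. It swaps the blob-URL workaround for parsing the response body as JSON, assumes chrome.app.runtime is present only in a packaged app, and uses hypothetical function names throughout.

```javascript
// Added example; all function names are hypothetical.

// Assumption: a packaged Chrome App exposes chrome.app.runtime, a normal page does not.
function isPackagedApp(globalObj) {
  const c = globalObj && globalObj.chrome;
  return Boolean(c && c.app && c.app.runtime);
}

// Script tag in a browser (cross-domain XHR is refused there),
// XHR plus parsing in the app (script.src is refused there).
function chooseJsonpStrategy(globalObj) {
  return isPackagedApp(globalObj) ? 'xhr-parse' : 'script-tag';
}

// Treat a JSONP body as data: require exactly callbackName(<json>) and
// JSON.parse the argument. Nothing is executed, so neither eval nor
// new Function is involved.
function parseJsonp(body, callbackName) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error('invalid callback name');
  }
  const text = body.trim().replace(/;$/, '');
  const prefix = callbackName + '(';
  if (!text.startsWith(prefix) || !text.endsWith(')')) {
    throw new Error('response is not a call to ' + callbackName);
  }
  // JSON.parse rejects anything that is not pure JSON (calls, expressions).
  return JSON.parse(text.slice(prefix.length, -1));
}

// In the app: request the whitelisted URL, then parse instead of executing.
// XhrCtor is injected so the function can be exercised without a browser.
function loadJsonpInApp(url, callbackName, XhrCtor) {
  return new Promise((resolve, reject) => {
    const xhr = new XhrCtor();
    xhr.open('GET', url);
    xhr.onload = () => {
      try { resolve(parseJsonp(xhr.responseText, callbackName)); }
      catch (e) { reject(e); }
    };
    xhr.onerror = () => reject(new Error('request failed: ' + url));
    xhr.send();
  });
}
```

The caller checks chooseJsonpStrategy(window) once and keeps the existing script-tag loader for the 'script-tag' case.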


That would be great. I definitely want to be able to make Cesium run in Chrome Apps without any hassles.